CVE-2026-9517
Improper Access Control in CodeIgniter-StudentManagementSystem
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hemant6488 | codeigniter_studentmanagementsystem | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the CodeIgniter-StudentManagementSystem, specifically in the Students.php controller. It allows unauthenticated users to access and manipulate student data without any authentication or authorization checks.
An attacker can remotely access endpoints to view the full list of students, add new students, edit existing records, and delete students without logging in.
The root cause is improper access controls in the Student Management Handler component, particularly in the /index.php/students/addStudentView function.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized exposure and manipulation of sensitive student data.
- Attackers can view confidential student records without permission.
- Attackers can add, modify, or delete student data, potentially corrupting the database.
- The vulnerability can cause reputational damage to the organization managing the system.
- It may enable further exploitation if combined with other vulnerabilities like stored XSS or SQL injection.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the affected endpoints without authentication and observing if unauthorized access or manipulation of student data is possible.
For example, using command-line tools like curl to send requests to the vulnerable endpoints can help identify the issue.
- curl -X GET http://<target>/index.php/students/addStudentView
- curl -X GET http://<target>/index.php/students (to check if the full list of students is accessible without login)
- curl -X POST http://<target>/index.php/students/addStudentView -d "<student_data>" (to test if adding students is possible without authentication)
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper authentication and authorization checks on the affected endpoints, especially in the Students.php controller.
Restrict access so that only authenticated and authorized users can view, add, edit, or delete student records.
Additionally, monitor access logs for any suspicious or unauthorized requests to these endpoints.
If possible, temporarily disable or restrict access to the vulnerable endpoints until a proper fix or patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated and unauthorized access to student data, including viewing, adding, editing, and deleting records. This improper access control can lead to exposure and manipulation of sensitive personal information.
Such unauthorized access and potential data exposure can violate common data protection standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to ensure confidentiality, integrity, and proper authorization.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations, leading to legal, financial, and reputational consequences for organizations using the affected system.